From d54729d36075058e130940353b7043780fc01c7a Mon Sep 17 00:00:00 2001
From: TheArcaneBrony
Date: Thu, 7 Sep 2023 01:04:56 +0200
Subject: Add nginx to container

---
 .../containers/pluralcontactbotpoc/conduit.nix | 33 -------
 .../containers/pluralcontactbotpoc/root.nix | 4 +-
 .../pluralcontactbotpoc/services/conduit.nix | 33 +++++++
 .../pluralcontactbotpoc/services/nginx.nix | 107 +++++++++++++++++++++
 4 files changed, 142 insertions(+), 35 deletions(-)
 delete mode 100755 host/Rory-nginx/services/containers/pluralcontactbotpoc/conduit.nix
 create mode 100755 host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
 create mode 100755 host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix

diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/conduit.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/conduit.nix
deleted file mode 100755
index f2fdad6..0000000
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/conduit.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, pkgs, lib, conduit, ... }:
-
-{
- services.matrix-conduit = {
- package = conduit.packages.${pkgs.system}.default;
- enable = true;
- settings.global = {
- address = "127.0.0.1";
- server_name = "pcpoc.rory.gay";
- database_backend = "rocksdb";
- enable_lightning_bolt = true;
- max_concurrent_requests = 1000;
- allow_check_for_updates = false;
- allow_registration = false;
- };
- };
- systemd.services.matrix-conduit-reg-token = {
- description = "Random registration token for Conduit.";
- before = ["conduit.service"]; # So the registration can be used by Conduit.
- after = ["matrix-synapse-reg-token.service"];
-
- script = ''
- mkdir -p /run/systemd/system/conduit.service.d
- echo Environment=\"CONDUIT_REGISTRATION_TOKEN=$(cat /var/lib/matrix-synapse/registration_shared_secret.txt)\" > /run/systemd/system/conduit.service.d/override.conf
- systemctl daemon-reload'';
- serviceConfig = {
- User = "root";
- Group = "root";
- };
- };
- system.stateVersion = "22.11"; # DO NOT EDIT!
-}
-
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
index 537a438..2c0d901 100755
--- a/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/root.nix
@@ -3,8 +3,8 @@
 {
 imports = [
- #./nginx.nix
- ./conduit.nix
+ ./services/nginx.nix
+ ./services/conduit.nix
 ];
 system.stateVersion = "22.11"; # DO NOT EDIT!
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
new file mode 100755
index 0000000..f2fdad6
--- /dev/null
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/conduit.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, lib, conduit, ... }:
+
+{
+ services.matrix-conduit = {
+ package = conduit.packages.${pkgs.system}.default;
+ enable = true;
+ settings.global = {
+ address = "127.0.0.1";
+ server_name = "pcpoc.rory.gay";
+ database_backend = "rocksdb";
+ enable_lightning_bolt = true;
+ max_concurrent_requests = 1000;
+ allow_check_for_updates = false;
+ allow_registration = false;
+ };
+ };
+ systemd.services.matrix-conduit-reg-token = {
+ description = "Random registration token for Conduit.";
+ before = ["conduit.service"]; # So the registration can be used by Conduit.
+ after = ["matrix-synapse-reg-token.service"];
+
+ script = ''
+ mkdir -p /run/systemd/system/conduit.service.d
+ echo Environment=\"CONDUIT_REGISTRATION_TOKEN=$(cat /var/lib/matrix-synapse/registration_shared_secret.txt)\" > /run/systemd/system/conduit.service.d/override.conf
+ systemctl daemon-reload'';
+ serviceConfig = {
+ User = "root";
+ Group = "root";
+ };
+ };
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
diff --git a/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
new file mode 100755
index 0000000..2f4d8cf
--- /dev/null
+++ b/host/Rory-nginx/services/containers/pluralcontactbotpoc/services/nginx.nix
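Review bot: The `matrix-conduit-reg-token` script writes the shared secret into `/run/systemd/system/conduit.service.d/override.conf` with whatever umask the unit inherits (systemd's default is 0022), so the token most likely lands in a world-readable file and is additionally exposed to anyone who can run `systemctl show conduit`, since it becomes part of the unit's `Environment=`. Putting `umask 077` as the first line of the script and handing the value to `conduit.service` via `EnvironmentFile=` (or systemd's `LoadCredential=`) instead of an `Environment=` drop-in keeps the secret out of the unit properties. The ordering `after = ["matrix-synapse-reg-token.service"]` names a unit that is not defined in this commit, so I cannot confirm from the hunk that `/var/lib/matrix-synapse/registration_shared_secret.txt` exists when the script runs.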
@@ -0,0 +1,107 @@
+{ config, pkgs, lib, ... }:
+
+{
+ services = {
+ nginx = {
+ enable = true;
+ #package = pkgs.nginxQuic;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedZstdSettings = true;
+ recommendedGzipSettings = true;
+ recommendedBrotliSettings = true;
+ recommendedOptimisation = true;
+ appendConfig = ''
+ worker_processes 16;
+ '';
+ eventsConfig = ''
+ #use kqueue;
+ worker_connections 512;
+ '';
+ appendHttpConfig = ''
+ #sendfile on;
+ disable_symlinks off;
+ '';
+ additionalModules = with pkgs.nginxModules; [
+ moreheaders
+ ];
+ virtualHosts = {
+ "pcpoc.rory.gay" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6167";
+ extraConfig = ''
+ if ($request_method = 'OPTIONS') {
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Methods: *';
+ #
+ # Custom headers and headers various browsers *should* be OK with but aren't
+ #
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ #
+ # Tell client that this pre-flight info is valid for 20 days
+ #
+ more_set_headers 'Access-Control-Max-Age: 1728000';
+ more_set_headers 'Content-Type: text/plain; charset=utf-8';
+ more_set_headers 'Content-Length: 0';
+ return 204;
+ }
+ '';
+ };
+ locations."= /.well-known/matrix/server".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON {
+ "m.server" = "pcpoc.rory.gay:443";
+ }}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON {
+ "m.homeserver".base_url = "https://pcpoc.rory.gay";
+ }
+ }';
+ '';
+ locations."= /.well-known/matrix/support".extraConfig = ''
+ more_set_headers 'Content-Type application/json';
+ more_set_headers 'Access-Control-Allow-Origin *';
+ return 200 '${builtins.toJSON {
+ admins = [
+ {
+ matrix_id = "@emma:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@alicia:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@root:rory.gay";
+ role = "admin";
+ }
+ {
+ matrix_id = "@rory:rory.gay";
+ role = "admin";
+ }
+ ];
+ }
+ }';
+ '';
+ };
+ };
+ };
+ };
+ systemd.services.nginx.serviceConfig = {
+ LimitNOFILE=5000000;
+ };
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "root@rory.gay";
+
+ environment.systemPackages = with pkgs; [
+ #gitfs
+ ];
+
+ system.stateVersion = "22.11"; # DO NOT EDIT!
+}
-- cgit 1.4.1
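Review bot: The three `.well-known/matrix/*` locations pass `'Content-Type application/json'` and `'Access-Control-Allow-Origin *'` to `more_set_headers` without the `:` separator, whereas the OPTIONS block in `locations."/"` above uses the correct `'Name: value'` form. As far as I recall, headers-more rejects a header spec with no colon as an "invalid header" when nginx parses its configuration, so the service would fail to start; even if it were accepted, the intended headers would not be set and federation/client discovery responses would go out without a JSON content type. Change each pair to `more_set_headers 'Content-Type: application/json';` and `more_set_headers 'Access-Control-Allow-Origin: *';` in all three locations.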